NowSecure was excited to participate in the ATARC Federal Mobile Technology Summit in Washington, D.C., on Thursday to focus on secure mobile tools and techniques used by federal agencies. Our recent benchmark analysis, which found that 25% of the top public U.S. government mobile apps have security or privacy flaws, was a prime topic of conversation. We’re happy to discuss the results with you and offer a free risk assessment for a third-party mobile app of your choice.
Your highlights from this week are as follows:
- Air Canada mobile app breach may affect 20,000 customers
- Fortnite flaw makes it susceptible to Man-in-the-Disk attack
- Learn more about the Frida development toolkit
- In a single minute, $1.1 million is lost to cybercrime
- Phishing attacks that exploit WhatsApp are on the rise
- Android device innovations improve authentication
- West Virginia mobile blockchain ballot pilot garners scrutiny
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Air Canada confirms mobile app data breach
“According to an email to customers, attackers may have accessed basic profile data, including names, email addresses and phone numbers — but also more sensitive data that users may have added to their profiles, including passport numbers and expiry date, passport country of issuance, NEXUS numbers for trusted travelers, gender, dates of birth, nationality and country of residence.”
“Google researchers recently discovered that the same Man-in-the-Disk attack can be applied to the Android version of the popular game Fortnite. To download the game, users need to install a helper app first. This, in turn, is supposed to download the game files. But by using the Man-in-the-Disk attack, a crook can trick the helper into installing a malicious application.”
The Man-in-the-Disk attacks illustrate that mobile app developers should take care when using external storage. Google offers some pertinent suggestions for Android developers and NowSecure experts provide a comprehensive development guide for safeguarding data in our “Secure Mobile Development Best Practices” eBook. Download it here.
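The core defence against the attack described above is ordering: copy the download into app-private storage first, verify that private copy, and only then hand it to the installer, so that nothing on shared storage is trusted after the check. The Java below is an added illustration of that flow (not code from Google, Epic or NowSecure) written against the plain JDK; the temporary directories stand in for the device’s shared storage and the app’s private directory (`Context.getFilesDir()` on Android), and the expected digest is assumed to arrive over a trusted channel such as the download server’s TLS response.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public final class SafeStagingExample {

    // SHA-256 of a file as lowercase hex.
    static String sha256Hex(Path file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
        }
        return HexFormat.of().formatHex(md.digest());
    }

    // Copy into private storage FIRST, then verify the private copy. Verifying the file while it
    // still sits on shared storage and installing from there leaves a window in which any app with
    // storage permission can swap it (the Man-in-the-Disk race).
    static Path stageAndVerify(Path externalDownload, Path privateDir, String expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        Path staged = privateDir.resolve("pending.apk");
        Files.copy(externalDownload, staged, StandardCopyOption.REPLACE_EXISTING);
        if (!sha256Hex(staged).equalsIgnoreCase(expectedSha256)) {
            Files.deleteIfExists(staged);
            throw new SecurityException("downloaded file failed integrity check; refusing to install");
        }
        return staged; // only this verified, private copy is handed to the package installer
    }

    public static void main(String[] args) throws Exception {
        Path external = Files.createTempDirectory("shared");  // stands in for /sdcard
        Path priv = Files.createTempDirectory("private");     // stands in for Context.getFilesDir()
        Path download = external.resolve("game.apk");
        Files.write(download, "genuine apk bytes".getBytes());       // constructed sample download
        String expected = sha256Hex(download);                        // constructed: trusted digest
        System.out.println("verified copy at " + stageAndVerify(download, priv, expected));
        Files.write(download, "tampered apk bytes".getBytes());      // another app rewrites the shared file
        try {
            stageAndVerify(download, priv, expected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```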
“Due to its ability to hook into processes dynamically, developers can rapidly develop tools using Frida. For example, in an Android application process, this can be hooked into to extract the output of the process itself, meaning that any additional functionality can be added with minimal effort.”
Did you know that Frida creator Ole André Vadla Ravnås and Radare2 creator Sergi “Pancake” Álvarez work alongside each other at NowSecure? Hear both of them discuss the use of their tools for mobile appsec testing in this recorded webinar.
Hackers steal $1 MILLION from the world’s economy every 60 seconds
(Daily Mail Online)
“Hackers steal $1 million (£0.8m) from the world’s economy every 60 seconds, according to a worrying new report. Researchers found that hackers were driven by a range of motives, including monetary gain, politics and espionage.”
WhatsApp: Mobile Phishing’s Newest Attack Target
“Mobile phishing is a topic that just won’t go away. According to Verizon, 90% of all data breach incidents begin with a phish — and mobile is the fastest-growing vector of attack. Our research shows a new phishing site is created every 20 seconds.”
The most interesting smartphone innovations in the last year (or so)
“Whereas previous facial identification in phones focused on verifying an image of the user’s face using the device’s general-purpose front-facing camera — a method that doesn’t work well in the dark and can be easily duped using a photograph — Face ID projects an array of infrared dots, creating a three-dimensional map the phone reads to verify your identity.”
Mobile Blockchain Ballot Trial Raises Voting Security Questions
“Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, a digital rights group, believes smartphone voting is too unproven to use during this year’s elections. ‘I don’t know why everyone’s solution to things lately is “rub some blockchain on it,”’ he said. ‘Blockchain voting methods typically mean you are doing internet voting — which is a horrifically bad idea — and committing encrypted ballots to the blockchain.’”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.